-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-004
CVE: CVE-2018-5390, CVE-2018-5391
Publication Date: 2018-Aug-24
Status: Confirmed
Revision: 2

Title
=====
Linux Kernel Vulnerabilities in ClearPass and AirWave

Overview
========
Two Linux kernel vulnerabilities, known as "SegmentSmack" and
"FragmentSmack", have been publicly disclosed. The Linux kernel used by
Aruba ClearPass Policy Manager and Aruba AirWave is affected. Other Aruba
products are not affected.

Affected Products
=================
ClearPass 6.6.x
ClearPass 6.7.x
AirWave prior to 8.2.8

Details
=======
The vulnerabilities allow a denial of service attack: specially crafted
network packets cause the Linux kernel to consume excessive CPU cycles
while processing them. See the following URLs for more information:

- https://access.redhat.com/security/cve/cve-2018-5390
- https://access.redhat.com/security/cve/cve-2018-5391

The underlying operating system used by ClearPass and AirWave is CentOS,
which is a downstream derivative of Red Hat Enterprise Linux.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Resolution
==========
- Apply hotfixes to ClearPass (when available)
- CVE-2018-5390 is fixed in AirWave 8.2.7.1
- CVE-2018-5391 will be fixed in AirWave 8.2.8

Note: Resolution for these issues has necessitated extensive testing,
which has led to delays. The CentOS kernel updates that address these
issues also include fixes for the Spectre/Meltdown vulnerabilities.
Although Spectre/Meltdown does not directly impact ClearPass or AirWave,
the fixes for it may negatively impact performance. Aruba is still in the
process of testing and characterizing performance to ensure that customer
deployments are not impacted. Hotfixes for ClearPass will be clearly
labeled as addressing CVE-2018-5390 and CVE-2018-5391 once they become
available.

This advisory will be updated with further details once new information
becomes available. The latest version of this advisory will always be
available at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-004.txt.

Workarounds
===========
These vulnerabilities can be mitigated by placing ClearPass and AirWave
servers behind firewalls or on protected management networks that do not
permit connections from untrusted systems.

Revision History
================
Revision 1 / 2018-Aug-24 / Initial release
Revision 2 / 2018-Nov-9 / Updated AirWave information

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAlvljIUACgkQmP4JykWF
htk9wQf+PAoeazsKnnV6UYlBjW/6WEhO1dh4+TtH+mnaeaEkymzgqulCkbqkIMYM
NA8YXhEHQUB1lYaG1rTEvY5QdJmIbGhJOgWdmtw+vvHMsO+FdWuREwnXn3zqXuSG
7a4OyA7lnnTzD4gDMMg41GIsuO7zIQsClNTmE/arQEHIXWoVkStQGOYeM+5KxORy
+CnaCRHPUlrUjcessE47GPmpM/JQoRisBDz+qVlANyHCmlRIIH/sf52bSCIT2teo
UkzXrvDKj6pe3uI2+B1YhjsXvegCo4NzA1y+kU92WrTCd1n7EiZtJjUPB5lxFRko
xJDOaDOBH9nflCeN1CGC8wlHQR3jVQ==
=UC7H
-----END PGP SIGNATURE-----
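As an added example (not part of the Aruba advisory and not Aruba tooling), the following Python helper encodes the version ranges stated in the Affected Products and Resolution sections so that a fleet inventory can be triaged for which CVEs remain open on each host. The inventory dictionary is constructed sample data; the only facts it relies on are the ones the advisory states (ClearPass 6.6.x and 6.7.x affected by both CVEs pending a hotfix; AirWave before 8.2.7.1 open to CVE-2018-5390, before 8.2.8 open to CVE-2018-5391). Versions are compared numerically, so 8.2.10 correctly sorts after 8.2.8 rather than before it as a string comparison would.

```python
from typing import Dict, List, Tuple

# CVE identifiers as given in ARUBA-PSA-2018-004.
CVE_SEGMENTSMACK = "CVE-2018-5390"
CVE_FRAGMENTSMACK = "CVE-2018-5391"

# Fixed AirWave versions stated in the advisory's Resolution section.
AIRWAVE_FIX_5390 = "8.2.7.1"
AIRWAVE_FIX_5391 = "8.2.8"

# ClearPass trains listed as affected; remediation is a hotfix, so any
# host on these trains is reported as open until the hotfix is tracked
# separately (hotfix identifiers are not given in the advisory).
CLEARPASS_AFFECTED_TRAINS = ((6, 6), (6, 7))


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.7.1' into (8, 2, 7, 1) so comparisons are numeric.

    Tuple comparison treats a shorter prefix as smaller, which gives the
    intended result for 8.2.7 < 8.2.7.1 < 8.2.8 < 8.2.10.
    """
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def airwave_open_cves(version: str) -> List[str]:
    """CVEs from this advisory still open on an AirWave server."""
    v = parse_version(version)
    open_cves = []
    if v < parse_version(AIRWAVE_FIX_5390):
        open_cves.append(CVE_SEGMENTSMACK)
    if v < parse_version(AIRWAVE_FIX_5391):
        open_cves.append(CVE_FRAGMENTSMACK)
    return open_cves


def clearpass_open_cves(version: str) -> List[str]:
    """CVEs from this advisory still open on a ClearPass server.

    Only the 6.6.x and 6.7.x trains are listed as affected; other trains
    are not mentioned, so they are reported as having nothing open here.
    """
    v = parse_version(version)
    if v[:2] in CLEARPASS_AFFECTED_TRAINS:
        return [CVE_SEGMENTSMACK, CVE_FRAGMENTSMACK]
    return []


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map host name -> open CVEs for a {host: (product, version)} inventory."""
    checkers = {"clearpass": clearpass_open_cves, "airwave": airwave_open_cves}
    result = {}
    for host, (product, version) in inventory.items():
        checker = checkers.get(product.lower())
        if checker is None:
            raise ValueError(f"{host}: unknown product {product!r}")
        result[host] = checker(version)
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "cppm-01": ("clearpass", "6.7.4"),
    "cppm-02": ("clearpass", "6.8.0"),
    "amp-01": ("airwave", "8.2.6.1"),
    "amp-02": ("airwave", "8.2.7.1"),
    "amp-03": ("airwave", "8.2.10"),
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "nothing open per ARUBA-PSA-2018-004"
        print(f"{host}: {status}")
```

Hosts reported with an open CVE are candidates for the advisory's workaround (restricting reachability to trusted management networks) until the corresponding hotfix or AirWave release is applied.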